For businesses

Businesses must also prepare

Approximately 50% of companies fail following a major disaster affecting their business. The key to staying alive is to develop an effective contingency plan and implement it correctly.

"We'll survive, we always have", "I am too busy making money", "I haven't the time, skill or resources", "I don't need it in my business".

These are just some of the responses to suggestions that companies plan for a major disaster. They are understandable, but they are a recipe for bankruptcy. Some recent press comments are also of particular interest:

"Contingency planning is the safety net of risk management", and "any public utility providing an essential service .... must have a well tested business contingency plan that is able to cope with any catastrophe and maintain continuity of supply".

Planning is the key

Statistics vary, but they suggest that, following a major disaster, approximately 50% of businesses fail to survive. Why? Simply, their customers desert them. Customer loyalty is very fragile. It takes years to develop but can be lost overnight. It makes sense to have a fallback position. From the perspective of any manager or CEO who wants to maintain a functioning operation, to the board who could face shareholder/stakeholder litigation, advance planning is the key. There are many cogent reasons why disaster management should form part of any organisation's business plan. How to go about putting in place a disaster recovery plan is straightforward. The implementation can, however, be complex.

Business Impact Analysis

Firstly, it is necessary to establish just what is a disaster to the organisation. There are the obvious man-made and natural perils such as fire, earthquake, flood and the like, but don't forget loss of reputation (a major risk to most organisations), loss of Information Technology and computerised processing functions (for example, the millennium bug problem had a very real disaster potential), adverse exposure to contracts with penalty clauses, and legal and regulatory risk. Think laterally with particular emphasis on marketing and ability to service clients.

Terminology

Some of the terminology can at first glance seem somewhat bewildering. Organisations are being bombarded with the need for an emergency response plan, a contingency plan, a disaster recovery plan, and a business continuity plan.

No matter what you call it, the need is to have a pre-agreed plan to aid an organisation to work through any predetermined foreseeable 'contingency' and to survive.

Objectives

The overall objectives of the plan will essentially be as follows. (Obviously the detail will depend on the type of organisation, whether it be manufacturing, a service organisation, a government etc.)

  • Ensure the continuous availability of your business.
  • Protect assets (buildings, plant, people) and the profit earning capability.
  • Maintain customer confidence.
  • Identify the exposures to the business and corporate risks.
  • Develop recovery strategies and priorities.
  • Expedite restoration of services.
  • Minimise financial loss and embarrassment.
  • Maintain or gain competitive knowledge.
  • Meet legal obligations - employees, clients, shareholders, community.
  • Identify business process inefficiencies.
  • Identify single points of failure.
  • Maintain a positive image.

The Contingency Plan

Try and keep things as straightforward as possible and think of the overall plan as the contingency plan (CP).

Within the contingency plan, there will generally be three distinct stages of planning which need to be considered. These phases will each be time-dependent. The initial response (emergency response) may cover a timeframe up to about the first 24 hours. Thereafter, there will be the need to 'hold it together' or business continuity, which could extend from a day to several weeks followed by the return to normal operations over a period of weeks or even months.

In some organisations it may be relevant to develop an overall 'umbrella plan' ie, the big picture plan, within which more detailed divisional/departmental plans can be developed. However, both the umbrella and divisional/departmental plans should generally follow the above approach, with the restoration objectives being established under each phase. It may work like this.

The Three Stage Contingency Plan

The restoration objectives in terms of the business should have been clearly identified for each phase as part of the business impact analysis.

Phase 1 Immediate Response

Objectives: To secure hazardous conditions; establish the control organisation; provide initial status report. Phase 1 is likely to extend for the first 24 hours or so.

Phase 2 Business Continuity

Objectives: To effect minimum operational status; to review phase 1; to initially prepare for phase 3. Phase 2 is likely to extend for up to two weeks.

Phase 3 Disaster Recovery

Objectives: To provide an orderly programme for full operational restoration. Phase 3 may extend for six months or more.

Summary

  1. It doesn't matter what you call it - develop a plan as broadly or as detailed as your own needs may be. Typically a broad 'umbrella contingency plan' is sufficient which may need to be broken down to some detail in specific areas, eg IT, product recall procedures, plant level etc.
  2. Think of it more as a programme needing regular and ongoing review rather than a document to be filed and forgotten.
  3. Top management commitment is essential.
  4. Test the plan regularly and modify as may be necessary.
  5. Document the plan and ensure management are familiar with it.
  6. Ensure the necessary resources will be available as detailed in the plan.

Other Resources

Click these links for further information on business contingency planning.

Ministry of Civil Defence and Emergency Management

Ministry of Economic Development

Risk Management Standard - AS/NZS 4360:1999 www.mcdem.govt.nz